Question 1

What is CPCSC Level 1 and which Canadian defence contractors need it?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) Level 1 applies to Canadian defence contractors handling Low-Sensitivity Specified Information under contracts with DND (Department of National Defence) or PSPC (Public Services and Procurement Canada). Based on ITSP.10.171 (Canada's adaptation of NIST SP 800-171 Rev 3) published by CCCS (Canadian Centre for Cyber Security), Level 1 requires annual self-assessment and is being phased into procurements based on current government rollout guidance. Contract eligibility depends on solicitation requirements, so validate current RFP language for each opportunity.

Question 2

How long does CPCSC Level 1 implementation take for Canadian defence contractors?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) Level 1 implementation commonly takes 3-6 months or more for small Canadian defence contractors (10-50 employees), though actual timelines vary based on starting security posture and available resources. Timeline typically includes: gap analysis against ITSP.10.171 (13 controls) (2-4 weeks), technical control implementation including network segmentation and MFA (2-3 months), policy development (3-4 weeks), staff training (2-3 weeks), and self-assessment preparation using PSPC-provided tools (2-3 weeks). A structured methodology can help streamline this timeline through pre-configured ITSP.10.171 control templates. Starting CPCSC implementation now positions you ahead of the Spring 2026 mandatory deadline and avoids last-minute resource competition.

Question 3

How much does CPCSC Level 1 implementation cost for small contractors?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) Level 1 implementation costs vary significantly based on organisation size, existing security posture, and whether you take a DIY or consultant-supported approach. Key cost areas include: technical infrastructure (network segmentation equipment, security tools, MFA), professional services for gap analysis and implementation guidance if using a consultant, and internal labour (project management, IT implementation, documentation). Level 1 uses self-assessment (no C3PAO fees). Annual maintenance covers recertification effort plus tool subscriptions. Pilotcore's fixed-scope engagements can reduce budget uncertainty with a scoped estimate based on your baseline and contract scope before starting, plus documented change-control checkpoints if scope shifts. Book a consultation for a personalised estimate based on your environment.

Question 4

Can Canadian companies implement CPCSC themselves or do they need a consultant?

Accepted Answer

Canadian defence contractors can implement CPCSC (Canadian Program for Cyber Security Certification) Level 1 themselves if they have: senior IT security expertise familiar with ITSP.10.171, understanding of CCCS (Canadian Centre for Cyber Security) requirements, significant engineering capacity for implementation, and experience with compliance documentation. Most small contractors (10-50 employees) benefit from consultant support because: ITSP.10.171 has 110 detailed practices (13 for Level 1) requiring interpretation, PSPC self-assessment tools require specific documentation formats, implementation mistakes discovered during assessment require expensive rework, and consultants can help compress the learning curve. Pilotcore offers hybrid approach: consultant for gap analysis and roadmap, internal team for implementation with Pilotcore guidance and pre-configured templates.

Question 5

How does CPCSC differ from CMMC for companies working with both Canadian and US defence?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) applies to Canadian DND (Department of National Defence)/PSPC (Public Services and Procurement Canada) contracts while CMMC (Cybersecurity Maturity Model Certification) applies to US DoD (Department of Defense) contracts. Both derive from NIST SP 800-171 baseline, but CPCSC uses ITSP.10.171 (based on Rev 3, 2024) while CMMC uses Rev 2 (2021). Assessment bodies differ by accreditation: CPCSC C3PAOs are accredited by the Standards Council of Canada (SCC), while CMMC C3PAOs are accredited by Cyber-AB. Information classifications differ: CPCSC protects Protected A/B/C and Specified Information, CMMC protects CUI (Controlled Unclassified Information). Timeline differs based on current program guidance and contract rollout. No reciprocity agreement exists yet. Cross-border contractors often need both certifications, and shared controls can reduce duplicate effort depending on contract scope and assessor interpretation.

Be CPCSC Ready Before Your Next DND or PSPC Solicitation

Need the CPCSC Level 1 checklist first?

How Pilotcore Can Prepare You for CPCSC Certification

Gap Analysis Against ITSP.10.171

Technical Control Implementation

Policies, Procedures & SSP

Mock Assessment & Team Training

No Black Box Consulting

Canadian defence expertise your C3PAO will recognise

Book a CPCSC Readiness Call

Frequently Asked Questions About CPCSC Compliance

What is CPCSC Level 1 and which Canadian defence contractors need it?

How long does CPCSC Level 1 implementation take for Canadian defence contractors?

How much does CPCSC Level 1 implementation cost for small contractors?

Can Canadian companies implement CPCSC themselves or do they need a consultant?

How does CPCSC differ from CMMC for companies working with both Canadian and US defence?

Ready to talk about your CPCSC plan?